Providing all the extra info that didn't make it into the BlackHat 2012 USA Presentation "Still Passing the Hash 15 Years Later? Using the Keys to the Kingdom to Access All Your Data" by Alva Lease 'Skip' Duckwall IV and Christopher Campbell.

Sunday, April 14, 2013

Missing PTH Tools Writeup - WMIC / WMIS / CURL

Looking back over my blog, I realized I never did a writeup on wmic / wmis / curl with the PTH functionality. So, I'm going to do that now while I'm thinking about it ;-)

WMIC / WMIS

Windows Management Instrumentation (WMI) is officially defined by Microsoft as "the infrastructure for management data and operations on Windows-based operating systems". You can Google more, but the TLDR version is that it uses a subset of ANSI SQL to query the operating system for various things that might be of value. You can also interact with the Windows OS by accessing methods that are exposed by the various WMI providers. More on this in a few.

Somewhere along the way, a WMI client appeared on the net. I'm not sure from whence it came, but for a while it was being used by Zenoss to monitor Windows machines. The problem is that it was written based on an old version of Samba 4 with some additional functionality that has since been removed from the Samba 4 source tree. So, in essence, it's unsupported and getting it to work with newer versions of Samba would be painful, as one would need to recreate the functionality that got removed a few years ago.

The first tool I'm going to talk about is "wmic". This tool can be used to issue WMI queries to a Windows computer. Note that this tool is only for queries. For example:

This query will list process names and PIDs for running processes on 172.16.1.1 as seen in this picture:

The next tool is a little more interesting. I mentioned earlier that there were ways of accessing 'methods' of various underlying Windows functionality. One of the most interesting ones is the "Create" method from the Win32_Process class. This allows WMI to create a process on the remote system. It only returns whether or not the process was created, not the process's output, so one would need to redirect output to a file and grab it somehow. The WMIS tool takes advantage of this behavior to start processes on the remote computer.
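From the defender's side, the footprint of this behavior on the target is that the new process is spawned by the WMI provider host, WmiPrvSE.exe. As an added example (not from the original post or the wmis tool), here's a small Python check over constructed Sysmon Event ID 1-style records (field names Image, ParentImage and CommandLine are Sysmon's; the sample records are made up):

```python
"""Spot processes started through WMI's Win32_Process.Create on a host.

Added example: a process created this way has WmiPrvSE.exe as its parent,
so the parent image is the first thing to look at. The records below are
constructed Sysmon Event ID 1-style fields, not real logs.
"""
from typing import Dict, List, Tuple

# Constructed sample events (only the fields the check needs).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /c whoami > C:\Windows\Temp\out.txt"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -NoP -EncodedCommand QQBBAEEAQQA="},
    {"Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
]

WMI_PROVIDER_HOST = "wmiprvse.exe"
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}  # PowerShell accepts prefixes


def basename(path: str) -> str:
    """Last path component, case-folded, so directory and casing don't matter."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_wmi_spawned(event: Dict[str, str]) -> bool:
    """True when the parent is the WMI provider host (Win32_Process.Create path)."""
    return basename(event.get("ParentImage", "")) == WMI_PROVIDER_HOST


def indicators(event: Dict[str, str]) -> List[str]:
    """Reasons a WMI-spawned process deserves a look. Create only reports whether
    the process started, so output redirected to a file is a classic tell."""
    if not is_wmi_spawned(event):
        return []
    reasons = ["parent is WmiPrvSE.exe"]
    cmd = event.get("CommandLine", "").lower()
    if ">" in cmd:
        reasons.append("output redirected to a file")
    if "powershell" in basename(event.get("Image", "")) and ENCODED_FLAGS & set(cmd.split()):
        reasons.append("encoded PowerShell command line")
    return reasons


def find_wmi_process_creations(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (image, reasons) for every event spawned via WMI."""
    return [(e["Image"], indicators(e)) for e in events if is_wmi_spawned(e)]
```

Legitimate management agents also launch work through WMI, so treat a hit as a triage lead to pair with the logon and network context of the same host, not a verdict on its own.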

What sorts of evil things can you do from the command line? Aside from piecing together an asynchronous shell, there are a lot of interesting things you can do... I'll let @obscuresec answer that one in a guest post here soon.... It's nice and evil, trust me...

CURL

Curl is a useful command line web utility that also has support for several other protocols, such as FTP, SMTP, POP3, and others. I patched PTH functionality in as a quick method to access some of these other protocols if they prompted for NTLM authentication. The easiest example is grabbing info from a SharePoint server....

For example, if we want to log in as bob.franklin and grab his default SharePoint page, we can do something like this: